[seam-issues] [JBoss JIRA] (JBSEAM-5130) Add security warning to seam logging docs

Marek Novotny (JIRA) jira-events at lists.jboss.org
Thu Nov 21 07:08:06 EST 2013


    [ https://issues.jboss.org/browse/JBSEAM-5130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12925694#comment-12925694 ] 

Marek Novotny commented on JBSEAM-5130:
---------------------------------------

I already added a similar warning in relation to https://issues.jboss.org/browse/JBSEAM-5128

The commit is here: https://github.com/seam2/jboss-seam/commit/14be4608bda294ec997fa112c7baff2637e07315

Wrt updating the old released Seam documentation, I am not really sure I will do that, as the docs there are tightly joined with existing released tags and those are immutable. Seam users who downloaded old Seam distributions still have the documentation without the warning, and after editing it would also differ from the on-line Seam documentation :(
> Add security warning to seam logging docs
> -----------------------------------------
>
>                 Key: JBSEAM-5130
>                 URL: https://issues.jboss.org/browse/JBSEAM-5130
>             Project: Seam 2
>          Issue Type: Bug
>          Components: Documentation Issues
>    Affects Versions: 2.2.2.Final, 2.3.0.Final, 2.3.1.Final
>            Reporter: David Jorm
>            Priority: Critical
>
> It has been reported that Seam parses expression language (EL) statements in log messages. This is safe if used as intended: all user-provided input is supposed to be bound to a variable in the EL, conceptually similar to bound parameters in SQL. If an application did not use the Seam logging facility as intended, and included user-provided strings in log messages directly via string concatenation, then a remote attacker could use this flaw to execute arbitrary code in the context of the application server. The documentation does not highlight this issue at all, and it seems highly likely that some Seam-based application developers would have used string concatenation with user-provided strings in log messages.
> This needs to be addressed in all Seam docs as a priority:
> http://docs.jboss.org/seam/2.3.1.Final/reference/html_single/#d0e4185
> http://docs.jboss.org/seam/2.3.0.Final/reference/en-US/html_single/#d0e4185
> http://docs.jboss.org/seam/2.2.2.Final/reference/en-US/html_single/#d0e4254
> I suggest adding a big red warning admonition such as:
> Title:
> SECURITY WARNING: Do not use string concatenation to construct log messages
> Body:
> Seam logging evaluates expression language (EL) statements in log messages. This is safe if used as intended, because all user-provided input is bound to a parameter in the EL statement. If an application does not use the Seam logging facility as intended, and includes user-provided strings in log messages directly via string concatenation, then a remote attacker could inject EL statements directly into the log messages, which would be evaluated on the server. This could lead to a variety of security impacts. To protect against this issue, ensure that all user-provided input in log messages is bound to a parameter, and not included directly in log messages using string concatenation.
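A check a Seam developer can run over their own code base for the pattern the proposed warning describes, as an added example that is not from the Seam project or this ticket: a small Python scanner that flags calls on a Seam `Log` (the `trace`/`debug`/`info`/`warn`/`error`/`fatal` methods of the logger injected with `@Logger`) whose message argument is not built purely from string literals, while calls that bind values through `#0`/`#1` placeholders pass. It goes slightly beyond the ticket by also flagging `String.format(...)` and similar non-literal messages; the sample Java lines are constructed.

```python
import re

LOG_CALL = re.compile(r'\b\w+\.(?:trace|debug|info|warn|error|fatal)\s*\(')
STRING_LITERAL = re.compile(r'^"(?:[^"\\]|\\.)*"$')

def message_operands(text):
    """Split the first argument of `text` (text starts right after '(') on top-level '+'."""
    operands, cur, depth, in_str, i = [], [], 0, False, 0
    while i < len(text):
        ch = text[i]
        if in_str:
            cur.append(ch)
            if ch == '\\' and i + 1 < len(text):  # keep escaped char with its backslash
                i += 1
                cur.append(text[i])
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif depth == 0 and ch in ',)':  # end of the first argument
            break
        elif depth == 0 and ch == '+':
            operands.append(''.join(cur).strip())
            cur = []
        else:
            depth += (ch in '([') - (ch in ')]')
            cur.append(ch)
        i += 1
    operands.append(''.join(cur).strip())
    return operands

def find_unsafe_log_calls(java_source):
    """(line number, line) for each log call whose message is not purely string
    literals: concatenated variables or String.format(...) can carry user input."""
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), 1):
        for m in LOG_CALL.finditer(line):
            operands = message_operands(line[m.end():])
            if not all(STRING_LITERAL.match(op) for op in operands):
                findings.append((lineno, line.strip()))
    return findings

# Constructed sample resembling Seam 2 application code (not from the Seam project).
SAMPLE_JAVA = """\
log.info("User #0 logged in from #1", username, remoteAddr);
log.warn("Login failed for " + username);
log.debug("Lookup took " + elapsed + " ms");
log.error("Failed to load " + "config", e);
log.info(String.format("Order %s", order.getId()));
"""
```

Lines 1 and 4 are not reported: the first binds its values as parameters and the second only joins two literals, so neither can carry user input into the evaluated message.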

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira